Ryan Linn continues his insiders look at Offensive Security's online training in Part 4 of this continuing review of 'Pentesting with BackTrack.' As a reminder, PWB is described by Offensive Security as, "An online course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. This penetration testing course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students. This course gives a solid understanding of the penetration testing process, and is equally important for those wanting to either defend or attack their network. The course can be taken from your home, as long as you have a modern computer with high speed internet."

Ryan brings it all together for you next month with a complete review of the course as well as the exam experience. Stay tuned.

I was wondering how does this course of Offensive Security stack up against SANS.org and their courses? I mean PWB is much cheaper, but does it offer the same or more or just different? If you would pit the two against each other who would win?

Guerreiro wrote:I was wondering how does this course of Offensive Security stack up against SANS.org and their courses? I mean PWB is much cheaper, but does it offer the same or more or just different? If you would pit the two against each other who would win?

It's not so much about who would win per se. I think both courses complement each other. The Sans courses cover a lot of the areas not covered in the OSCP. One such area is the business side of things. Setting up the rules of engagement, various laws etc.

Neither. I started out doing the CEH, then progressed to the OSCP and then finally the GPEN.

If your only two options were the OSCP and GPEN I would probably shoot for the GPEN. Simply because the GPEN does a lot of hand holding. With the OSCP you are left to do a lot of the stuff on your own. Sure there are guys on the irc channel but you will not be spoon fed. The OSCP encourages you to do your own research. And it can get get quite frustrating at times.

My opinion only, and note, I have not yet taken both, but this goes from what I've seen in demo's and samples of each, as well as from folks I've spoken with, who HAVE taken both.

(And I agree with what Dark_Knight JUST responded...)

Cost-wise, obviously OSCP it better. (MUCH cheaper) Thus, if you're not 'absolutely' certain you want to be a pentester, or want to see just how much you might get into and learn, it'd be a more affordable way to begin. That way, if you feel over your head and decide against it, you're not out the SANS-type money. But if you truly want to have opportunity to learn and understand more, SANS might be the better route, especially if you're willing to go to one of the bootcamps, as the ability to interact directly with an instructor, for info you may or may not understand, is very valuable, in and of itself. BOTH will be technically challenging, and both will introduce you to concepts, methodologies, etc. As previously noted by Dark_Knight, the legalities, etc, are also nice to gain from the SANS offerings.

We really cannot tell you which is better for a 'beginner' as it depends on you. If you're a GREAT self-learner, then a 60-day lab package and OSCP might be good for you, as it gives you a LOT of lab time, and hands-on practice with tools and ideas, while still affording you the ability to email the instructors and irc with other students, etc. But if you learn better from more 'regular' interaction with instructors, in more of a class setting, then I'd definitely be leaning towards SANS to start with. (Additionally, if you do opt for a bootcamp, you also have many other folks at the SAME point in the class as you, to openly discuss with and network with during the course.)

Ultimately, to answer your question, I don't think either would 'win', and that each is tailored for it's own learning style and methods. Personally, if you can afford one or the other, in my opinion, I'd do both (the extra for OSCP isn't THAT much above the SANS, anyway...) Then you'll get it all.

My 2 cents, anyway...

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

First off I would like to thank both of you esteemed gentlemen for answering in such a timely fashion and with such a clear answer as well.

Well beginner is maybe a vague word, as for me personally I am now studying how to use Linux with books of the Internet. This is pure self study no holding hands and I must say I am doing all right. I also obtained a copy of old lessons of OSCP back when it was called Offensive Security 101, still using BackTrack 2. I was not daunted by their information, but I understand what you are saying. I will take your advice with me as I contemplate what to do. Also can any of you two give me any extra advice on how to get maybe a small headstart, say learn Python scripting or some such.

So Assembly, Perl and Python. At the moment I am working on learning Shell Scripting with BASH. Also OllyDBG, I am still not exactly sure how and where to use this but that is why they invented : RTFM.

Sounds like you have a good head on your shoulders, and are understanding the points we've given you. Even the general BASH knowledge will help you, greatly, with the ability to script connections using netcat, ssh and other tools, gather data, and to make quick work of things.

In the NetWars cyber challenge, going on again, right now, one of the first lessons I taught another participant was how to BASH script some of his tasks, as, if you connected through their SSH tunnel, and were not quick enough at coming up with (or typing in) what you wanted to do next, some of the other players would snipe your connection, promptly, and you'd be fighting, just to stay connected, let alone to connect long enough to score points or even learn. With the BASH scripts, if you had everything chained together properly, you could accomplish your network reconnaissance and some attacks quickly and painlessly, before they could catch you and snipe you. This translates into real world pentesting, too, as if you are a capable scripter, you can pull many of these tasks off, quickly, clear logs and erase your tracks, and be out before many of your clients even knew you were in. (So yes, BASH is a good one to know!)

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Thanks for the compliment . I am working 40+/hrs in the week and then studying on the side can all be very exhausting. Just grabbed some O'Reilly books for the Perl and Python. Anybody here got a great book that works, or a site with tutorials?